Re: Combining authen-handler with mod_auth
On Mon, 14 Jul 2003 23:26:06 -0500 (CDT), Geoffrey Young wrote:

> > Instead of trying to cram multiple perl-script into the same Authen
> > phase, which btw could not be done without patching Apache and/or
> > mod_perl,
>
> if by perl-script you mean mod_perl handlers, that's not really true.
> currently, mod_perl will run all configured PerlAuthenHandlers until
> one returns an Apache error (401, 500, etc). when I get back from
> vacation in a few weeks, the first item on my list is changing this so
> that mod_perl behaves exactly like Apache: namely, that the first OK
> passes control to the next phase and terminates the current phase.

Sorry, I was not clear enough. The problem is that I need to run
mp2-handlers before _and_ after the actual mod_auth (compiled apache
binary) module. But apparently mp2 runs _all_ its Authen-handlers at
the same time, ie it is not possible to split handling in the same
phase between mp2 and apache -- something that I must do (afaik?)
because of the ledger-counting.

> > By keeping count like this (and assuming it works in a real
> > situation), one can devise lots of cool ways to add login and
> > password policies. Just change the relevant part in the
> > Bouncer/Ledger.
>
> I'll take a closer look at this in a few weeks when I'm back full
> time, but right now I think I would have coded it all in the
> PerlAuthenHandler - I think that basic housekeeping like last-auth,
> etc all are ok things to put into that phase, so it makes a certain
> amount of sense to add your denial rules to that phase as well.

Ok. But when I tested it in practice it failed because I need
perl-Authen-code to run just before, and just after, mod_auth has
finished. The only way I could figure out how to do that was to put
Bouncer in the Access phase and Ledger in the FixUp phase. In other
words, abusing the phases somewhat.

[stuff added :-) ]

    # Find userinfo in cache. If user is banned, return
    # HTTP_UNAUTHORIZED else let him through to next handler
    PerlAccessHandler MyApache::Bouncer

    # The actual auth module. Patched so it creates an apache
    # request note if user is unauthorized + let request through
    # to next handler (DECLINED) _even tho_ user failed!
    AuthExternal wicauth

    # If apache note contains current user, update cache (nfailures
    # count) and return HTTP_UNAUTHORIZED or return OK
    PerlFixUpHandler MyApache::Ledger

> anyway, I'm essentially offline for the next two weeks, but if you
> ping me after that we can talk more.
>
> good luck

Thanks!
Abusing apache auth phases [FWD: [Re: Combining authen-handler with mod_auth]]
Any thoughts on this stuff? I'd like to try my ideas on the list before
going ahead and implementing it in practice.

----- Forwarded message from Martin Wickman [EMAIL PROTECTED] -----

From: Martin Wickman [EMAIL PROTECTED]
Subject: Re: Combining authen-handler with mod_auth

On Mon, Jul 07, 2003 at 10:06:59AM -0700, Geoffrey Young wrote:

[...]

> > I think a lot of interesting password policies could be implemented
> > if it was possible to run perl-code before and after existing
> > authentication modules. Is it feasible to add this to the current
> > mod_perl as a runtime option?
>
> runtime is not likely to be possible. I'm considering a patch that
> would make the hook behavior configurable as a compile-time option,

Instead of trying to cram multiple perl-script into the same Authen
phase (which could not be done without patching Apache and/or
mod_perl), I ended up using other phases but Authen. Other phases that
should not really be used for authentication like this, and which
break a few Apache rules.

I specifically had to change mod_auth_ so it sets an apache note and
returns DECLINED instead of stopping the whole request with a
HTTP_UNAUTHORIZED. The change is simple and can be applied to any auth
module without much effort.

So, I thought I'd ask the list for opinions regarding this poor-man's
approach. Here is the setup:

    <Location /secure/>
        AuthType Basic
        AuthName "Secure Area"
        Require valid-user

        # Find userinfo in cache. If user is banned, return
        # HTTP_UNAUTHORIZED else let him through to next handler
        PerlAccessHandler MyApache::Bouncer

        # The actual auth module. Patched so it creates an apache
        # request note if user is unauthorized + let request through
        # to next handler (DECLINED) _even tho_ user failed!
        AuthExternal wicauth

        # If apache note contains current user, update cache (nfailures
        # count) and return HTTP_UNAUTHORIZED or return OK
        PerlFixUpHandler MyApache::Ledger
    </Location>

Here is my tidied error_log which shows how it works.

    [ User wic with wrong pwd below ]
    Bouncer: wic not in cache. Letting through.
    AuthExtern wicauth: Failed for user wic.
    Ledger: wic not in cache. Adding.

    Bouncer: wic in cache: 1    <--- nfailures
    AuthExtern wicauth: Failed for user wic
    Ledger: wic in cache. Updating.

    [ ... 10 times or something like that ... ]

    Bouncer: wic in cache: 10
    AuthExtern wicauth: Failed for user wic.
    Ledger: banning wic for 2 hours.

    Bouncer: wic in cache: banned
    Bouncer: wic is banned!

    Bouncer: wic in cache: banned
    Bouncer: wic is banned!

    [ The user wic is banned and has to wait for 2 hours until
      Bouncer will let him through. ]

    Bouncer: wic banning time has expired. Letting through.
    AuthExtern wicauth: OK accepted for user wic.
    Ledger: wic login ok.

By keeping count like this (and assuming it works in a real
situation), one can devise lots of cool ways to add login and password
policies. Just change the relevant part in the Bouncer/Ledger.

(Btw, I am using Cache::FileCache to keep track of the number of
failed retries.)

----- End forwarded message -----
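The Bouncer/Ledger pair described in the setup above, written out as an added example of mod_perl 2 handlers; this is not code from the thread or from Martin's modules. It assumes the current Apache2:: namespace rather than the 1.99.07 Apache:: one, that the patched auth module signals a bad password by setting a request note named wicauth-failed (a name chosen here), that MyApache::BanLedger is a module name chosen here, and that the Location is configured with PerlAccessHandler MyApache::BanLedger::bouncer and PerlFixupHandler MyApache::BanLedger::ledger.

```perl
package MyApache::BanLedger;
use strict; use warnings;
use Apache2::RequestRec ();  # $r->user, $r->notes
use Apache2::Access ();      # $r->get_basic_auth_pw, $r->note_basic_auth_failure
use Apache2::Log ();         # $r->log_error
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
use APR::Table ();
use Cache::FileCache ();

my $MAX_FAILURES = 10;                # ban after this many failures (as in the log)
my $BAN_SECONDS  = 2 * 60 * 60;       # ban length: 2 hours
my $FAIL_NOTE    = 'wicauth-failed';  # assumed name of the note the patched auth module sets
my $cache = Cache::FileCache->new({ namespace => 'banledger' });

# PerlAccessHandler: runs before the real auth module. Refuse users whose
# ban has not expired; let everyone else through to be authenticated.
sub bouncer {
    my $r = shift;
    # Parse the Authorization header; this also fills in $r->user.
    my ($rc, $pw) = $r->get_basic_auth_pw;
    return $rc if $rc != Apache2::Const::OK;   # no credentials: usual 401 challenge
    my $entry = $cache->get($r->user);
    if ($entry && $entry->{banned_until} > time) {
        $r->log_error("Bouncer: " . $r->user . " is banned!");
        $r->note_basic_auth_failure;
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }
    return Apache2::Const::OK;
}

# PerlFixupHandler: runs after the patched auth module, which sets a note instead
# of returning 401. Count failures, ban on the threshold, and always send the 401.
sub ledger {
    my $r    = shift;
    my $user = $r->user or return Apache2::Const::DECLINED;
    my $entry = $cache->get($user) || { nfailures => 0, banned_until => 0 };
    if ($r->notes->get($FAIL_NOTE)) {
        $entry->{nfailures}++;
        if ($entry->{nfailures} >= $MAX_FAILURES) {
            $entry->{banned_until} = time + $BAN_SECONDS;
            $r->log_error("Ledger: banning $user for 2 hours.");
        }
        $cache->set($user, $entry, $BAN_SECONDS);  # entry expires with the ban
        $r->note_basic_auth_failure;               # fail closed: never serve the page
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }
    $cache->remove($user);   # successful login resets the failure count
    return Apache2::Const::OK;
}
1;
```

Because the auth module no longer returns 401 itself, the fixup handler is the only thing standing between a failed password and the content, so it must return HTTP_UNAUTHORIZED on every failure note, not only when the ban threshold is reached.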
Re: Combining authen-handler with mod_auth
> Instead of trying to cram multiple perl-script into the same Authen
> phase, which btw could not be done without patching Apache and/or
> mod_perl,

if by perl-script you mean mod_perl handlers, that's not really true.
currently, mod_perl will run all configured PerlAuthenHandlers until
one returns an Apache error (401, 500, etc). when I get back from
vacation in a few weeks, the first item on my list is changing this so
that mod_perl behaves exactly like Apache: namely, that the first OK
passes control to the next phase and terminates the current phase.

see

http://marc.theaimsgroup.com/?l=apache-modperl-dev&m=105431735200617&w=2

[stuff snipped]

> By keeping count like this (and assuming it works in a real
> situation), one can devise lots of cool ways to add login and password
> policies. Just change the relevant part in the Bouncer/Ledger.
>
> (Btw, I am using Cache::FileCache to keep track of the number of
> failed retries.)

I'll take a closer look at this in a few weeks when I'm back full
time, but right now I think I would have coded it all in the
PerlAuthenHandler - I think that basic housekeeping like last-auth,
etc all are ok things to put into that phase, so it makes a certain
amount of sense to add your denial rules to that phase as well.

anyway, I'm essentially offline for the next two weeks, but if you
ping me after that we can talk more.

good luck

--Geoff
Re: Combining authen-handler with mod_auth
On Mon, Jul 07, 2003 at 10:06:59AM -0700, Geoffrey Young wrote:

[...]

> > I think a lot of interesting password policies could be implemented
> > if it was possible to run perl-code before and after existing
> > authentication modules. Is it feasible to add this to the current
> > mod_perl as a runtime option?
>
> runtime is not likely to be possible. I'm considering a patch that
> would make the hook behavior configurable as a compile-time option,

Instead of trying to cram multiple perl-script into the same Authen
phase, which btw could not be done without patching Apache and/or
mod_perl, I ended up using other phases but Authen. Other phases that
should not really be used for authentication like this, and which
break a few Apache rules.

I specifically had to change mod_auth_ so it sets an apache note and
returns DECLINED instead of stopping the whole request with a
HTTP_UNAUTHORIZED. The change is simple and can be applied to any auth
module without much effort.

So, I thought I'd ask the list for opinions regarding this poor-man's
approach. Here is the setup:

    <Location /secure/>
        AuthType Basic
        AuthName "Secure Area"
        Require valid-user

        # Find userinfo in cache. If user is banned, return
        # HTTP_UNAUTHORIZED else let him through to next handler
        PerlAccessHandler MyApache::Bouncer

        # The actual auth module. Patched so it creates an apache
        # request note if user is unauthorized + let request through
        # to next handler (DECLINED) _even tho_ user failed!
        AuthExternal wicauth

        # If apache note contains current user, update cache (nfailures
        # count) and return HTTP_UNAUTHORIZED or return OK
        PerlFixUpHandler MyApache::Ledger
    </Location>

Here is my tidied error_log which shows how it works.

    [ User wic with wrong pwd below ]
    Bouncer: wic not in cache. Letting through.
    AuthExtern wicauth: Failed for user wic.
    Ledger: wic not in cache. Adding.

    Bouncer: wic in cache: 1    <--- nfailures
    AuthExtern wicauth: Failed for user wic
    Ledger: wic in cache. Updating.

    [ ... 10 times or something like that ... ]

    Bouncer: wic in cache: 10
    AuthExtern wicauth: Failed for user wic.
    Ledger: banning wic for 2 hours.

    Bouncer: wic in cache: banned
    Bouncer: wic is banned!

    Bouncer: wic in cache: banned
    Bouncer: wic is banned!

    [ The user wic is banned and has to wait for 2 hours until
      Bouncer will let him through. ]

    Bouncer: wic banning time has expired. Letting through.
    AuthExtern wicauth: OK accepted for user wic.
    Ledger: wic login ok.

By keeping count like this (and assuming it works in a real
situation), one can devise lots of cool ways to add login and password
policies. Just change the relevant part in the Bouncer/Ledger.

(Btw, I am using Cache::FileCache to keep track of the number of
failed retries.)
Re: Combining authen-handler with mod_auth
> Thanks! I guess that may be possible, but somewhat problematic since
> I like to stay with the distro's apache-version.
>
> Btw, I remember seeing something about APR_HOOK_(LAST|FIRST|...) in
> the docs on perl.apache.org. Not implemented yet?

I'm not sure what docs you're thinking about, but that change should
be ok. I know that I'm using those constants in some XS and all is ok.

> I think a lot of interesting password policies could be implemented
> if it was possible to run perl-code before and after existing
> authentication modules. Is it feasible to add this to the current
> mod_perl as a runtime option?

runtime is not likely to be possible. I'm considering a patch that
would make the hook behavior configurable as a compile-time option,
however - modperl_hooks.c is autogenerated during the config process,
so it should be trivial to change the hook order without folks like
you needing to patch the code yourself.

--Geoff
Combining authen-handler with mod_auth
Hello

The short version: How can I force my mod_perl Authen-handler to run
after mod_auth and not before it?

The long version: I have been trying to do some clever things using a
combination of mod_auth with Authen-handlers in mod_perl2 (v1.99.07-1)
and apache 2. The actual implementation is not really important, but
for reference see [1]. The handler should count the number of failed
retries for each user and then take appropriate action (for instance,
ban the user or log info to a file). My approach is to have a
perl-handler run right *after* mod_auth when mod_auth has decided the
supplied uid/password did not match [2]

I have no problems creating a plain authentication handler in
mod_perl, but after trying and trying lots of combinations with
perl-handlers I am struggling to get my handler to run *after*
mod_auth. Like this:

    <Location /secure/>
        # AuthAuthoritative Off
        AuthUserFile /tmp/htpasswd
        AuthType Basic
        AuthName Secrets
        Require valid-user
        PerlAuthenHandler MyApache::AuthenTest
    </Location>

No matter how I configure AuthenTest, it will always run right before
mod_auth!

Any ideas how to do this, or for that matter, if there is another
approach that is better.

/Regards
Martin

[2] http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=be0i9b%2411n3fm%241%40ID-156202.news.dfncis.de

[1] I realize there may be issues with HTTP_UNAUTHORIZED causing
apache to abort the chain (according to docs anyway), but that can be
handled by patching auth_mod if needed.
Re: Combining authen-handler with mod_auth
Martin Wickman wrote:
> Hello
>
> The short version: How can I force my mod_perl Authen-handler to run
> after mod_auth and not before it?

in Apache 1.3 you could control this with CleanModuleList/AddModule,
but those directives don't exist in 2.0. I think the only way to do
it in 2.0 is to change modperl_hooks.c and recompile. try changing
this

    ap_hook_authen(modperl_authen_handler, NULL, NULL, APR_HOOK_FIRST);

to this

    ap_hook_authen(modperl_authen_handler, NULL, NULL, APR_HOOK_LAST);

HTH

--Geoff
Re: Combining authen-handler with mod_auth
On Sat, Jul 05, 2003 at 02:28:09PM -0400, Geoffrey Young wrote:
> Martin Wickman wrote:
> > Hello
> >
> > The short version: How can I force my mod_perl Authen-handler to
> > run after mod_auth and not before it?
>
> in Apache 1.3 you could control this with CleanModuleList/AddModule,
> but those directives don't exist in 2.0. I think the only way to do
> it in 2.0 is to change modperl_hooks.c and recompile. try changing
> this
>
>     ap_hook_authen(modperl_authen_handler, NULL, NULL, APR_HOOK_FIRST);
>
> to this
>
>     ap_hook_authen(modperl_authen_handler, NULL, NULL, APR_HOOK_LAST);

Thanks! I guess that may be possible, but somewhat problematic since I
like to stay with the distro's apache-version.

Btw, I remember seeing something about APR_HOOK_(LAST|FIRST|...) in
the docs on perl.apache.org. Not implemented yet?

I think a lot of interesting password policies could be implemented if
it was possible to run perl-code before and after existing
authentication modules. Is it feasible to add this to the current
mod_perl as a runtime option?